Forgot your password?



  • Imagine, if you'd like, the following conversation taking place before a guarded gate:

    Sentinel: Stop! Who goes there?
    Visitor: It's me, private Doe.
    Sentinel: Give me the password.
    Visitor: T-the password? I don't remember...
    Sentinel: That's fine, just choose a new one (!)


    Amazingly enough, that's exactly the kind of security employed at www.trafic.ro, a web traffic statistics service. Clicking on "I forgot my password" leads to the following form:

    http://www.trafic.ro/login/parola.php

    It's in Romanian, but here's a translation:

    Email ____________________ (The email address that represents your user on Trafic.ro)
    New password ____________________ Choose a new password to manage your account with

    [I want my password changed]

    (yes, the original form does say "email" instead of e-mail. no, I'm not a grammar nazi)

    How about that for security!



  • A nice fit for today's WTF.

    @felix said:


    (yes, the original form does say "email" instead of e-mail. no, I'm not a grammar nazi)


    Both versions are used very often, so I wouldn't dare to say one is wrong and the other correct.



  • Oh, that is brilliant!
    I tried logging in as admin@trafic.ro, but I got a message that seemed to say that no such user existed. Then i tried support@trafic.ro, and got the message "Parola incorecta"... that means bad password, right?

    So that user account exists. Then I tried to change the password using the link you provided. It processed my request, and then displayed the text "Pe adresa support@trafic.ro a fost trimis un mesaj de confirmare a schimbarii parolei.", with an OK button that lead me back to the site.

    That sort of seems like a "A confirmation email has been sent to your address", right? In that case, it isn't really a security flaw.



  • abx: were you able to login with the new password you set up? in that case. it is a security flaw.

    BTW, you interpreted the messages correctly.


    AmmoQ: I got confused about the "email" thing. You see, that's already a word in Romanian, so only the "e-mail" form is correct over here. Things are different in English, it would seem...



  • @felix said:


    AmmoQ: I got confused about the "email" thing. You see, that's already a word in Romanian, so only the "e-mail" form is correct over here. Things are different in English, it would seem...


    Well, "email" also means something in German (probably the same like in Romanian? The English word is "enamel", a coating made of molten silicate or something like that); but German people use "email" for "e-mail" anyways, since normaly it's clear what is meant from the context (and there are many other German words with different meanings...)



  • @ammoQ said:



    Well, "email" also means something in German (probably the same like in Romanian? The English word is "enamel"


    Yeah that's it. Oh well, maybe I am a grammar nazi after all... sheepish smile



  • Did you actually try it?

    Very likely it:
      Took your email and looked up an account.
      If one existed, the account was marked as having a possible new password.
      A link was emailed to that email address with a verification code.
      Upon clicking the link, the system verified the code, and set the accounts password to the "possible new password" value.


    Perhaps not a wtf.



  • @mhughes said:

    Did you actually try it?

    Very likely it:
      Took your email and looked up an account.
      If one existed, the account was marked as having a possible new password.
      A link was emailed to that email address with a verification code.
      Upon clicking the link, the system verified the code, and set the accounts password to the "possible new password" value.


    Perhaps not a wtf.


    I guess you are right, but it's still not a clever way to do it - the new password is asked for too early.
    Either they send the new password in the confirmation mail, which is insecure (plaintext passwords in a mail... do I have to say more) or they do not include the password in the confirmation mail, in which case the system also allows for attacks, since the user does not know which new password he confirms.



  • Plus, anyone with a packet sniffer pointing at that url will hear the password link being sent out over the internet, no?



  • @wing said:

    Plus, anyone with a packet sniffer pointing at that
    url will hear the password link being sent out over the internet, no?
    Unless
    I interpret your "pointing at that url", no.  I can point Ethereal
    to that URL (have it filter the packets so the viewport wont get
    flooded with pakets I'm not interested in) from my home connection (or
    at the office etc) all I want, I sure as hell hope I wont receive John
    Ro's reqeusts all the way from Romania to that Romanian webserver, talk
    about DOSsing your connection :P



    Unless of course you're sniffing on your employees/roommates on a
    hubbed network, on the router or on a monitor/mirror switchport, or you
    actually have access to that webserver (but in the last case you can
    just as well root the box and copy the DB) you would have to hack some
    routers (preferably one near the webserver) to get them to mirror those
    requests to you.



    So no, not everyone with a packetsniffer will hear it, only a few. But
    even though the scope is quite limited, it still imposes a
    security-risk.



    But then again, how DO you send your new password safely? Encrypt it
    using JavaScript and a public key (including al the salt and hashes
    that go with the replay-protection) ? I haven't really looked into that
    yet. And no, I don't mean printing it, putting it on a wooden table,
    taking a picture, etc. It would protect you from the plain-text
    sniffers, but it imposes a HUGE load on the receiving end (not to
    mention being quite user-unfriendly, not everyone has a digital
    camera...)



  • @pnieuwkamp said:


    But then again, how DO you send your new password safely?


    Definitely not by typing it in a form titled "I forgot my password" :-D

    The most secure solutions I've seen involved sending an activation code via e-mail, which allowed you access to your account just long enough to set a new password, or mailing you an autogenerated password, which you had to change right after login.

    On the other hand, who cares as long as the login form is posted via an unencrypted connection and the password is stored as plain text in the database...



  • @pnieuwkamp said:

    But then again, how DO you send your new password safely? Encrypt it using JavaScript and a public key (including al the salt and hashes that go with the replay-protection) ?

    Well, it's not JavaScript, but isn't that kinda what SSL is for?



  • So you buy an expensive cirtificate (or create your own, but then your customers browser will complain that it doesn't know the CA) for (initially) the sole purpose of safely changing passwords?

    Surely there must be a 'better' way? (as in, not quite as expensive as buying a certificate or as bothersome as explaining to your audience that the certificate is perfectly legal, because using SLL is of course, after eliminating that drawback, the best sollution)



  • @pnieuwkamp said:

    So you buy an expensive cirtificate (or create your own, but then your customers browser will complain that it doesn't know the CA) for (initially) the sole purpose of safely changing passwords?

    Yeah, that's true. :-(  I suppose the Real WTF™ is that it's so hard to get a "valid" certificate in the first place.  But surely it's saner than implementing RSA in JavaScript. ;-)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.